Date: Wed, 15 Mar 2006 16:08:58 +0100
From: Jiri Benc <jbenc@suse.cz>
To: Bernd Petrovitsch <bernd@firmix.at>
Cc: rusty@rustcorp.com.au, LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] modpost: fix buffer overflow
Message-ID: <20060315160858.311e5c0e@griffin.suse.cz>
In-Reply-To: <1142434648.17627.5.camel@tara.firmix.at>
References: <20060315154436.4286d2ab@griffin.suse.cz>
	<1142434648.17627.5.camel@tara.firmix.at>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1409
Lines: 48

On Wed, 15 Mar 2006 15:57:28 +0100, Bernd Petrovitsch wrote:
> Silly me. To make it more obvious whatz I really meant was:
> ----  snip  ----
> 	if (buf->size - buf->pos < len + 1) {
> 		while (buf->size - buf->pos < len + 1)
> 			buf->size += 128;
> 		buf->p = realloc(buf->p, buf->size);
> 	}
> ----  snip  ----

Yes, this is probably better. New version of the patch follows.

---->8----

I got SIGABRT in modpost when compiling a module really deeply nested in
a filesystem (path > 100 chars):

>   Building modules, stage 2.
>   MODPOST
> *** glibc detected *** scripts/mod/modpost: realloc(): invalid next size: 0x0809f588 ***
> [...]

This patch fixes that problem.

Signed-off-by: Jiri Benc <jbenc@suse.cz>

--- linux-2.6.16-rc6.orig/scripts/mod/modpost.c
+++ linux-2.6.16-rc6/scripts/mod/modpost.c
@@ -553,7 +553,8 @@ void __attribute__((format(printf, 2, 3)
 	va_start(ap, fmt);
 	len = vsnprintf(tmp, SZ, fmt, ap);
 	if (buf->size - buf->pos < len + 1) {
-		buf->size += 128;
+		while (buf->size - buf->pos < len + 1)
+			buf->size += 128;
 		buf->p = realloc(buf->p, buf->size);
 	}
 	strncpy(buf->p + buf->pos, tmp, len + 1);


-- 
Jiri Benc
SUSE Labs
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/